Skip to main content

Filesystem, Security, Privacy, and Anonymization Features in Nitrux

By Uri Herrera22 June, 2023July 1st, 2024Tutorial

In today’s tutorial, we’ll check all the filesystem, security, privacy, and anonymization features in Nitrux.

Difficulty: ★☆☆☆☆

📜 Table of Contents

    1. Default Security Policies in Nitrux
    2. XFS Features and Root Immutability in Nitrux
    3. Using and Configuring AIDE
    4. Online Anonymization using Tor and DNSCrypt-Proxy 2
      1. Configure Torsocks for Plasma
      2. Configure Torsocks for Firefox
      3. Configure DNSCrypt-Proxy 2 system-wide
    5. Importing and OpenVPN connection in NetworkManager
    6. Ad-blocking in Nitrux using dbab
    7. File Encryption in Nitrux
    8. Using F2FS Features in Nirux
      1. Native File Compression in F2FS
      2. Native File Encryption in F2FS

Default Security Policies in Nitrux

Nitrux enables the following security features and policies by default and any encryption capabilities (enabled by Nitrux™).

  • Features:
  • Policies:
    • Disable core dumps. Core dumps are created to diagnose and debug errors in Linux applications. However, core dumps may contain sensitive info, such as passwords and user data, including PAN, SSN, or encryption keys. Also, they take up a large amount of disk space too.
    • Stricter password expiration date. Passwords are the primary key to accessing an account, related services, and data, and therefore, they need to be protected via a strong password and password expiry policy. The default expiration date of passwords in Debian is 99999 days; ours is 1111.1 times shorter.
    • Increase the number of hashing rounds for passwords. With over 60k rounds, it is more difficult to brute-force the password; by default, Debian uses 5000 rounds, which is too low for modern hardware.
    • Passwords use SHA-2 512 encryption. Contrary to Debian, which uses yescrypt by default.
    • New passwords must be made more complex. This rule is not enforced in Debian. However, it is in Nitrux starting with version 2.8.1.
    • Deactivate the root account in the Live session and on the installed system. By default, Nitrux does not add or enable a password for the root account. Any administrative tasks performed by the user must be done using sudo.
    • Enforce a stricter password quality policy. By default, we use libpwquality to increase user account security. Users must use a password over eight characters long, including uppercase, lowercase, numbers, and symbols, with sufficient randomness when creating a user account. This policy is enforced during installation and for user accounts created post-installation.
    • Enable BPF JIT hardening if the JIT is enabled: Enabling hardening for the Berkeley Packet Filter (BPF) Just-in-time (JIT) compiler aids in mitigating JIT spraying attacks.
    • Fill freed pages and heap objects with zeroes: Ensure that when freed, they are filled with zeroes, enhancing security by preventing data leaks through uninitialized memory.
    • Disable merging of slabs of similar sizes: Preventing the kernel from merging memory slabs of similar sizes can improve security by making it harder for attackers to exploit specific memory corruption vulnerabilities.
    • Enable Redzoning: Redzoning adds extra areas around memory slabs to detect overflows by checking if a slab is overwritten past its actual size. This helps detect buffer overflows.
    • Disable Virtual Syscalls: Disables virtual Syscalls and system calls implemented in user space for performance reasons, potentially reducing the attack surface for specific exploits.
    • Randomize kernel stack offset on syscall entry: Introduce randomness to the kernel stack offset whenever a system call is made, adding another layer of security by making it harder for attackers to predict memory addresses.
    • Enable MAC addresses randomization mode. MAC randomization can be used for increased privacy by not disclosing the actual MAC address to the network.
    • Enable IPv6 Privacy Extensions standard. With privacy extensions, the kernel generates a temporary address mangled from the original autoconfigured address. Private addresses are preferred when connecting to a remote server to hide the original address.

XFS Features and Root Immutability in Nitrux

The root partition will use the XFS filesystem. Also, this XFS formatted partition will use the following additional filesystem features (enabled by Nitrux™).

  • Allow inodes to be placed at any location on the filesystem. Storing a file’s inode in the exact location as the file’s data improves performance.

Additionally, by default, Nitrux performs filesystem checks and repairs (if needed) during boot time.

Since Nitrux 2.6.0, the root directory is set to be immutable by default, meaning no changes occur to its contents. This change allows us to provide new versions of the distribution with a higher degree of certainty that no changes have happened to the root that might cause a conflict. We also want to avoid sudden issues from upgraded packages coming from a different origin than our repository, which we have a minimal way of controlling. However, we understand that there may be cases where users need to change something in the root directory.

  • ⚠️ Important: Avoid writing data to the root as a user while using the command below, as this will cause an error when exiting the shell session that overlayroot-chroot will create. Any changes to the root directory should be explicitly done only through the shell session after running overlayroot-chroot.
    • ⚠️ Important: It’s essential to mount and then unmount /dev; otherwise, stuff like the CLI text editor we include in Nitrux (micro) will not work.
  • 🔰 Information: After making the desired modifications, type sync and exit.
sudo overlayroot-chroot

mount -t devtmpfs dev /dev

# (... do stuff...)

umount /dev

sync

exit

For the changes to be applied to the overlay, i.e., the upper directory, the computer must be rebooted, or the kernel must be loaded again using Kernel Boot (where supported); otherwise, any modifications won’t be visible.

Alternatively, users can temporarily boot with the immutability disabled. To do that, do the following steps.

  • ⚠️ Important: We must stress that the preferred method to modify the root is the above. If you know what you’re doing, use the technique below at your own risk.

    • Press E in the GRUB boot menu.
    • Using the arrow keys, navigate to the bottom and search for the kernel parameter overlayroot=tmpfs:swap=1,recurse=0, and change the parameter to overlayroot=disabled.
    • To continue the boot process, press F10.
    • After making the desired modifications, reboot.

Using and Configuring AIDE

Since Nitrux 2.6.0, the distribution’s root directory has been immutable by default; however, in Nitrux 2.8.1, the distribution includes the Advanced Intrusion Detection Environment (AIDE) as an additional security feature. “AIDE is an intrusion detection system that detects changes to files on the local system. It creates a database from the regular expression rules that it finds from the config file.” AIDE can also be configured to monitor other directories; please check the AIDE manual.

To start using AIDE, run the following command. The command below will create the database AIDE uses to compare file changes.

  • ⚠️ Important: Creating the AIDE database will take several minutes. Do not stop the process, i.e., do not close the terminal window, log out, shut down, or reboot the computer, or the process will have to be restarted.
aide -i -c /etc/aide/aide.conf
  • Next, install the newly generated database with the following command.
cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
  • After creating the database, users can run the commands below to look for changes in the root directory.
    • Run the following command to check the database after adding or editing a file to the root.
aide -C -c /etc/aide/aide.conf
  • Run the following command to check and update the database after adding or editing files in the root.
aide -u -c /etc/aide/aide.conf

Online Anonymization using Tor and DNSCrypt-Proxy 2

Since Nitrux 2.8.1, the distribution includes Tor, Torsocks, and DNSCrypt-Proxy 2 to help users protect their online presence.

  • ⚠️ Important: To use Tor, start the service in OpenRC; see our tutorial, How to create service files in Nitrux pt. 1: OpenRC.
  • 🔰 Information: When using Tor and Torsocks, the Internet speed of the connection will be slower; this is not a bug in Nitrux. The slower speed is an expected side-effect of using a proxy.

Configure Torsocks in Plasma

To use Tor (via Torsocks) in Plasma, do the following.

  • Go to System Settings→Settings→Proxy and select Use manually specified proxy configuration.
  • Go to SOCKS Proxy, type localhost, select port 9050, and click the Apply button.
    • ⚠️ Important: Not all applications will use this proxy setting, particularly Firefox and Chromium or anything derived from them. Some applications may allow the proxy to be configured in their settings.

Configure Torsocks in Firefox

To use Tor with Firefox, check “Connection settings in Firefox” on the Firefox Support website.

  • Select Manual configuration, then in SOCKS Proxy, type localhost, select port 9050, and check SOCKS v5.

Configure DNSCrypt-Proxy 2 system-wide

To use DNSCrypt-Proxy 2 system-wide, do the following.

sed -i 's+:5300+127.0.0.1:53+g' /etc/dnscrypt-proxy/dnscrypt-proxy.toml
  • Since Nitrux 3.5.0, Dnsmasq runs as a plugin of NetworkManager, to stop using it and thus free the port necessary for DNSCrypt-Proxy 2, do the following change to NetworkManager configuration.
sed -i 's+dns=dnsmasq+dns=none+g' /etc/NetworkManager/conf.d/00-dns.conf
  • Then, kill Dnsmasq. It will conflict with DNSCrypt-Proxy 2 because it will not allow it to use port 53.
sudo killall dnsmasq

Run the DNSCrypt-Proxy 2 command in the background.

sudo dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml &
  • Next, go to System Settings→Connections→Your Connection→IPv4 and select “Automatic (only addresses) as the method.
  • Then, enter the localhost address, 127.0.0.1, in the DNS Servers field. Repeat for IPv6 and click the “Apply” button.
  • Restart the service for NetworkManager.
sudo rc-service network-manager restart

Next, edit the file /etc/resolv.conf with the following:

  • ⚠️ Important: To prevent other software from overriding the file, make it immutable. 
bash -c 'cat > /etc/resolv.conf <<EOF
nameserver ::1
nameserver 127.0.0.1
options edns0 single-request-reopen
EOF'

chattr +i /etc/resolv.conf
  • Test that the DNS resolving is working. To test, run the following command.
    • Verify that the resolver is not your ISP.
dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml -resolve nxos.org
  • Finally, to test using a web browser, by default Firefox, go to the following website, DNS leak test, and click “Extended test.” Like before, check that the resolvers are not your ISP.

Please note the following when using DNSCrypt-Proxy 2.

  • ⚠️ Important: DNSCrypt-Proxy 2 will help prevent DNS leaks, however, it does not hide the IP address, this is visible when visiting the site DNS leak test. To hide the IP address use Tor or a VPN.
  • 🔰 Information: When using DNSCrypt-Proxy 2, the Internet speed of the connection will be slower; this is not a bug in Nitrux. The slower speed is an expected side-effect of using a proxy.

Importing an OpenVPN connection in NetworkManager

Since Nitrux 2.7.0, the distribution includes the OpenVPN plugin for NetworkManager. To import an OpenVPN connection using a file, i.e., example-vpn.ovpn, do the following.

  1. Open System Settings→Connections.
  2. Click the add (+) button and scroll down until you find “Import VPN connection…”
  3. Click the button “Create” and select your .ovpn file.
  4. Select the new VPN connection and ensure that in connection type “Password with certificates (TLS)” is selected, then ensure that “Save password only for this user (cipher)” is selected for the secret key and VPN passwords.
  5. Activate the connection from the Connection settings (right-click → connect) or use the network icon in the system tray.
    • ⚠️ Important: If you use some public VPNs to protect your privacy, there are good chances that you might get a public IP address or at least be exposed to external connections. Once you have a public VPN enabled, you’re not protected anymore with the firewalls in front of your computer. Nitrux already uses UFW and is enabled by default to ignore incoming connections to alleviate this issue.
    • ⚠️ Important: Activating the connection immediately will cause a second dialog window to appear asking for the password for the VPN again after entering both passwords. To avoid this log out and log in or reboot after adding the VPN connection.
  6. A dialog window will appear asking for two passwords, one is the VPN password and the other is the secret key. Enter the password for the VPN and a password for the secret key.
    • 🔰 Information: The password for the user account can be used as the password for the secret key.
  7. (Optional) Pair the VPN with the main connection to automatically connect to the VPN. Go to System Settings→Connections→Your Connection→General configuration, check the box “Connect automatically to VPN,” select the VPN, and click “Apply”.

Please note the following when importing an OpenVPN connection.

  • ⚠️ Important: IPv6 support depends on the VPN provider; this is not a bug in Nitrux. If the provider doesn’t support IPv6 tunneling turn off IPv6 on the main connection. Go to System Settings→Connections→Your Connection→IPv6, select “Ignored” as the method, and click “Apply”.

Ad-blocking in Nitrux using dbab

Since Nitrux 2.9.0, the distribution includes dbab, a Dnsmasq-based ad-blocking utility using Pixelserv. “dbab provides a solution for the SOHO service environment and smoothly integrates DHCP, DNS, local caching, and Ad blocking into harmony. Adblocking is done by DNSmasq + Pixelserv, i.e., done at the DNS level — all requests to ad sites are blocked right there at DNS.” Features include the following.

  • Work at the DNS level. Leave the web pages intact, without pattern matching, string substitution, or/or replacing HTML elements.
  • Serve instantly. All ads will be replaced by a 1×1 pixel gif image served locally by the dbab-svr pixel server.
  • Maintenance free. You don’t need to maintain the list of ad sites yourself. The block list can be downloaded from pgl.yoyo.org periodically. If you don’t like some of the entries, you can quickly add to or remove them from that list.

To download an updated block list, run the following command.

dbab-get-list

To manually add or remove a domain from the block list, edit the following file.

micro /etc/dnsmasq.d/dbab-map.adblock.conf

For Dnsmasq to use the lists created by dbab, these must be available in the correct directory; create a symlink to the directory /etc/NetworkManager/dnsmasq.d for each file if they don’t exist. Then, after any changes to the block list, restart Dnsmasq.

  • 🔰 Information: Since Nitrux 3.5.0, Dnsmasq runs as a plugin of NetworkManager, so Dnsmasq will not load files from the directory /etc/dnsmasq.d but from /etc/NetworkManager/dnsmasq.d; create links to load the desired configuration files if they don’t exist. 
ln -sv /etc/dnsmasq.d/dbab-map.adblock.conf /etc/NetworkManager/dnsmasq.d/dbab-map.adblock.conf
ln -sv /etc/dnsmasq.d/dbab-map.trashsites.conf /etc/NetworkManager/dnsmasq.d/dbab-map.trashsites.conf
  • 🔰 Information: Since Nitrux 3.5.0, Dnsmasq runs as a plugin of NetworkManager. To reload the Dnsmasq configuration, disconnect from the network using the GUI, and restart the NetworkManager service. After restarting the service, close and reopen applications connected to the Internet such as web browsers.
sudo rc-service network-manager restart

Finally, run dbab-svr to initialize the Pixelserv server.

sudo dbab-svr &

Optionally, enable the service file that starts dbab. To do this, run the following command.

rc-update add dbab-openrc async

rc-update -u

File Encryption in Nitrux

Nitrux provides multiple ways to encrypt data, including block-device using dm-crypt; see Installing Nitrux, filesystem-level using f2fscrypt and userland encryption tools like fscrypt and Plasma Vaults.

  • As its name suggests, Plasma Vaults is tightly integrated with Plasma Desktop and can be accessed from the system tray.
    • To create a new vault, click the system tray applet, then click ‘Create a new vault’ and follow the setup wizard.
    • Plasma Vault supports the following encryption “engines,” CryFS (default), EncFS (suitable for offline use), and gocryptfs (recommended).
  • A non-GUI option is fscrypt. fscrypt (not to be confused with f2fscrypt) is a tool for managing the native file encryption support of the ext4, F2FS, and UBIFS file systems.

Using F2FS Features in Nitrux

Since Nitrux 2.8.0, the home and /var/lib partitions will use F2FS instead of XFS. These F2FS-formatted partitions will also use the following additional filesystem features (enabled by Nitrux™).

  • Compression using zstd with compression at level 6. The primary goal is reducing writes to extend the flash lifetime and, potentially, a slight increase in performance.
  • Verification of compressed blocks using a checksum to avoid corruption.
  • Enable a better garbage collector and asynchronous garbage collection.
  • Avoid synchronously updating access or modification times, which improves I/O performance and flash durability.
  • Native F2FS file encryption. Encryption is applied at the directory level, and different directories can use different encryption keys. To use F2FS’s native encryption support.

Native File Compression in F2FS

F2FS allows the user to compress directories on-demand; to do this, run the following command.

chattr -R +c $DIRECTORY

Native File Encryption in F2FS

F2FS allows the user to use its native encryption capabilities through f2fscrypt and fscrypt.

  • If using f2fscrypt, do the following.
    • First, create the key in the keyring using a simple salt (or generate a random salt).
f2fscrypt add_key -S 0x1234
Enter passphrase (echo disabled):
Added key with descriptor [28e21cc0c4393da1]
  • Then, use it to set the policy for the directory to be encrypted.
f2fscrypt set_policy 28e21cc0c4393da1 /encrypted/dir
Key with descriptor [28e21cc0c4393da1] applied to /encrypted/dir.
  • After each reboot, the same command can be used to set the key for decrypting the directory and child directories.
f2fscrypt get_policy /encrypted/dir/
/encrypted/dir/: 28e21cc0c4393da1
  • If using fscrypt, do the following.
      • 🔰 Information: fscrypt is the preferred option over f2fscrypt; while both can manage F2FS native encryption features, f2fscrypt is deemed missing many essential features and is no longer actively developed.
    • Run fscrypt so that it creates its configuration file and work directory.
sudo fscrypt setup
  • Then, run the following command since the file system on which encryption is to be used is not the root file system.
    • Where $MOUNTPOINT is where the file system is mounted, e.g.,/home.
sudo fscrypt setup $MOUNTPOINT
  • This creates the $MOUNTPOINT/.fscrypt directory to store fscrypt policies and protectors.
    • ⚠️ Important: Never delete the .fscrypt directory; otherwise, ALL access to encrypted files will be lost.

That’s it; this concludes today’s tutorial.

Post Views: 1,026
Next Post